Server hacked and redirecting
by Bernd
Released: 09-03-2006

Our server has recently been hacked, and when loading the forum index page it redirects to some silly page. I've checked for any code in the forum files that could redirect the forum, but there is none there. I've searched the vBulletin database and I couldn't find anything there either.

How do most hackers redirect pages once hacked? Do they edit the apache config files or something? How bad could the security breach be? Most important, what exploit might they have used?

Running Fedora Core 4
Plesk 8.01
vBulletin 3.54

Thanks for any kind of hints or answers.

Comments
#2
09-03-2006, 01:29 PM
Paul M

What mods do you have installed? Have you tried disabling them?
Reply With Quote
#3
09-03-2006, 01:43 PM
Bernd

[vB 3.5.0] Thread Thumbnail
[vB 3.5.4] Gallery for vBulletin 3.5.X
[vB 3.5.4] vbBux / vbPlaza v1.5.8
[vB 3.5.0 Beta 1] vBExternal v1.6
Zero Tolerance - [ Uninstall Modification ]
and GARS (geeks article system, full version)

Hope it helps determine the cause. I haven't disabled the mods yet, but that isn't causing the redirect. When viewing the source of the redirecting page (HTML output of the forum index page), there is no redirect there.
Reply With Quote
#4
09-03-2006, 02:57 PM
blockbusted

If you can get into your CPanel (if you have one), check your site redirects.

It might have been changed there.
Reply With Quote
#5
09-03-2006, 03:01 PM
Bernd

I'm using Plesk, and can still reach it. I'll check it out.
Reply With Quote
#6
09-03-2006, 03:22 PM
Wild-Wing

OK, this has happened twice on the forum I admin on, and it's a stupid exploit in the thread titles that allows meta redirection. I'm not going to say how it's done, but I'll PM you what to look for.

Here's a fix for it:
find in newthread.php:
if ($_POST['do'] == 'postthread')

then find:
'subject' => TYPE_STR,
change the TYPE_STR to TYPE_NOHTML
Reply With Quote
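The effect of the TYPE_STR to TYPE_NOHTML change on a thread title, as an added example that is not part of the post above and is not vBulletin code. It assumes TYPE_NOHTML HTML-escapes the submitted string, modelled here with PHP's htmlspecialchars(); the function names and the sample titles are constructed for illustration. Because the change only affects new submissions, the example also sweeps already-stored titles for raw markup.

```php
<?php
// Added example, not vBulletin code. Models cleaning the thread subject as
// TYPE_NOHTML (assumed to HTML-escape the string) with htmlspecialchars(),
// and audits titles that were stored before the fix was applied.

/** Escape a submitted subject so the browser renders it as text, not markup. */
function clean_subject(string $subject): string
{
    return htmlspecialchars(trim($subject), ENT_QUOTES, 'UTF-8');
}

/**
 * Return the IDs of stored titles that still contain a raw HTML tag.
 * A tag starts with "<" immediately followed by a letter, "/" or "!",
 * so a title such as "Prices < 10 EUR" is not flagged.
 */
function find_markup_titles(array $titles): array
{
    $flagged = [];
    foreach ($titles as $threadId => $title) {
        if (preg_match('~<[a-z/!]~i', $title)) {
            $flagged[] = $threadId;
        }
    }
    return $flagged;
}

// Constructed sample rows (thread ID => stored title); not data from this thread.
$stored = [
    101 => 'Welcome to the forum',
    102 => 'Prices < 10 EUR this week',
    103 => '<meta http-equiv="refresh" content="0;url=http://example.invalid/">',
    104 => 'Tips &amp; tricks',
];

// Report each title that would be emitted as live markup, with its escaped form.
foreach (find_markup_titles($stored) as $id) {
    printf(
        "thread %d: raw markup in title, escaped form: %s\n",
        $id,
        clean_subject($stored[$id])
    );
}
```

Only thread 103 is reported; its escaped form begins with `&lt;meta`, which a browser displays as text instead of acting on it.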
#7
09-03-2006, 06:44 PM
Bernd

That seems to be correct, I noticed a weird thread with a meta refresh of some kind. Thanks for letting me know!
Reply With Quote
#8
09-03-2006, 11:51 PM
DementedMindz

Strange. If this is the case, where it's happening to a lot of people, why wouldn't vBulletin patch it? Or is it the fact it's only happening when a certain hack is installed?
Reply With Quote
#9
09-03-2006, 11:56 PM
Wild-Wing

It's only happening with the topxstats hack; that's why they won't do anything about it.
Reply With Quote
#10
09-03-2006, 11:57 PM
DementedMindz

Well, Paul posted a fix; didn't it work for you?

Unfortunately a good amount of the hackers seem to come from Turkey. When I ran a PHP site we always blocked Turkey IPs because they're known for trying this stuff. It is up to you if you want to use it or not.

Just add the following to your .htaccess file:

This is NOT going to stop a hacker, even from Turkey. It will slow them down a bit.
Reply With Quote